Forgot your password?
typodupeerror
Microsoft Your Rights Online

XP, Phone Home 299

Posted by timothy
from the spot-changing-leopard dept.
Randomeyes writes: "The Register reports that Windows XP has functionality built-in to the Search Companion module that allows Microsoft to log users internet searches. Information collected includes user IP address, search term and related information. A cookie is also set. 'TrustUnWorthy Computing' anyone?" Tanveer1979 writes: though, that "the bright side is that it doesn't send anything to internet, it only downloads files, and compares the files on your computer with the files on server. And I guess a little effort is needed for the malicious to program it to send your data to web."
This discussion has been archived. No new comments can be posted.

XP, Phone Home

Comments Filter:
  • by Anonymous Coward on Friday April 12, 2002 @04:37AM (#3328341)
    I just saw it on my Microsoft Baseline Security Analyzer ©®(TM):

    View Security Report

    Sort Order: Score (worst first)

    Computer name: MYADSDOMAIN \WindozePeeCee
    IP address: 225.-1.65535.1
    Security Report Name: MYADSDOMAIN - WindozePeeCee (04-12-2002)
    Scan date: 12/04/2002 12:00AM
    Hotfix database version: v2.0.10^23+[1/(planks constant)]
    Security assessment: Sever Risk (As usual)

    Windows Scan Results

    Vulnerabilities

    Windows Hotfixes
    1. Local Account Passwords are simple or Weak. Please change them to something overtly convoluted and difficult to remember. It wont matter anyway because the Active Directory Server©®(TM) you authenticate against is probably not patched.

    2. IIS©®(TM) Installed. Please update to Apache 1.3.24 or 2.0.35

    3. JRE 1.4 is installed. Wow. That's even more bloated than the first revision of .NET ©®(TM).

    4. Auto-login is enabled. This is inherently dangerous because this OS has no inkling as to what multi-user means, for whatever reason, everyone is a su-doer.

    5. Passwords are too short. This is weak because the domain controller isn't patched. If you are running Samba 2.2, please disregard this. We can't tell the difference.

    6. File systems. They all appear to be running NTFS. Good (you should have two UPS for this. If its get corrupted, snicker.........)

    7. Your Cell Phone, Palm Device, monitor, printer, hub, DSL router, joystick, speakers, KVM, other PCs, scanner and filing cabinet do not have Client Access Licenses.

    8. Sent all info to Microsoft.

    © 1999 - 2009 (We paid of the US DOJ until then, they only take kick in decade increments), All your rights are belong to us.

    xenon baxter meowmix purina
    • Could not a great deal of these 'features' (annoyances, security holes etc.) be circumvented by keeping a very restrictive firewall between any machines running XP (or any Microsoft OS) and the Internet at large? If the search function fails if it can't report in then clearly this is a problem but if not, simply prevent it from communicating with outside sites.


      There's a reason we keep 800lb gorillas in cages...

      • What's the point?

        Computers should be there to make life easier, not harder. All questionable usability improvements pale when you have to mantain a firewall to use it.- And you have to configure the firewall not to trust the own network. It's not trivial to do such a firewall configuration.

        I know a lot people go incredible lenghts, just to run Windows. - Maybe they should start asking themselves if it's still the easiest/best thing to do?

      • by Shiny Metal S. (544229) on Friday April 12, 2002 @09:27AM (#3329002) Homepage

        Could not a great deal of these 'features' (annoyances, security holes etc.) be circumvented by keeping a very restrictive firewall between any machines running XP (or any Microsoft OS) and the Internet at large?

        Yes, I can see the slogan already:

        Microsoft Windows XP: The most secure system ever built!*

        (*If kept behind an OpenBSD firewall)

        I can also hear a customer buying a computer asking:

        - So, you say that 3GHz and 2GB RAM with 200GB HDD is enough to send emails to my grandchildren on every X-mas? I hope you're right. But will my new computer be also secure against those evil hacker pirates we lately hear so much about?
        - Of course, madam! Just make sure to insert a very restrictive firewall between your computer and the Internet.

        And the problem is solved!

      • Yeah, I can see this one already...

        Me: You need to install a firewall for your home network.

        My aunt: I really don't think the computers are about to burst into flame.

        Me: No, it's a device to protect your computers from harm from outside.

        My aunt: I don't think the Internet is going to send fire into the house either, and anyway you know we disconnect it when not in use and have perfectly good smoke alarms... Really now...
      • If I were Microsoft, I'd send the data through port 80, which you can't block because you can't otherwise use the web.

        I liked the suggestions some had to block Microsoft's web sites. Of course if you use Windows, you probably need Windows technical support.

        If you don't want your search queries broken down and analyzed by Microsoft - an eerie thought even if you're not uniquely identified - simply type

        http://www.google.com

        into your web browser instead of using Microsoft's "easy" search tool. And if you're really (quite reasonably) paranoid, use Mozilla, Opera or some other competing program just in case there's special code in IE to recognize leading search engines.

        Of course if you're REALLY paranoid, go ahead and use MacOS X or Linux.

        Finally, bear in mind that they claim not to save the IP addresses, but it's so useful and so trivial to do that I wouldn't take their word for it. Even they admit it was done during testing. And for many people - including myself, when I'm on my home DSL connection - the IP address really is a unique identifier.

        D
        • Sure you can, just block all traffic to microsoft's ip subnets, that is what I do.... (207.46.0.0/16) probably not all the IPs they have, but the ones I have seen phone home attempts have thus far all been on this subnet..
          • Great - but as I said, if I'm a Windows user, I need Windows technical support. (Fortunately, I'm not :-) ).

            So I guess I would have to selectively unblock parts of Microsoft's empire if I needed their technical support.

            Or, I suppose, search through Google Groups instead ... might be more effective, too. I haven't had to get technical support for a MS product in some time (since I no longer use them enough to need it), but when I was in a position to need it, it was usually just plain impossible to find stuff without professional help..

            D
      • You'd better make that a *hardware* firewall.

        The XP-compatible version of ZoneAlarm (v2.6.2, IIRC) defaults to allowing any "internet-enabled" application to access the net WITHOUT ASKING. The result is that on my shiny new XP install, two XP components tried to make a connexion without pestering me with one of those pesky "Do you want to allow App X to access the net?" boxes from ZoneAlarm.

        Given that insanely insecure default, I'm not so sure I trust ZA all the way around. Especially where XP is involved.

        Oddly enough, neither XP applet (and they were not "Activation" components -- one was some part of Dr.Watson, the other I haven't ID'd yet) tried to dial the modem. If I hadn't checked in ZA's "Programs" list, I'd have never known it happened.

        Kinda like all the "invisible" application and component crashes I see in XP's DrWatson log. :)

      • I use Zone Alarm [while this isn't 100% safe since they can low level access the 'net].

        I don't allow explorer.exe or any other MS app access the net other than IE. Of course this is all they need.
  • by pyrrho (167252) on Friday April 12, 2002 @04:37AM (#3328342) Journal
    they were so forgiving! It's sounded bad to me... but maybe I'm getting out of touch with what it's really doing.

    If it contacts the interent on a local file search, then that's bad. If it contacts microsoft when I search the net, that's bad.

    This "we can't identify you" stuff is a lie that should be well known by now. What they mean is "they don't have your name in the file, we would have to look that up".

    Maybe someone can explain why half the article is about mentioning this doesn't matter?
    • by Alsee (515537)
      If it contacts the interent on a local file search, then that's bad.

      As far as I can tall from the article, what it does during local searches is colossally stupid, but not actually "evil". The only information leakage is the fact that you did a local search, but nothing about it.

      On the other hand, sending a full report back to microsoft about every internet search is nasty.

      Maybe somebody can figure out some way to bill Microsoft for each piece of data you transmit this way :)

      -
    • by carm$y$ (532675)
      Maybe someone can explain why half the article is about mentioning this doesn't matter?

      Maybe because there are far more dangerous things going on, like this [theregister.co.uk], where mplayer "phones home" when playing a dvd, and uniquely identifies itself... now that's something that gives me the creeps.
  • by Ubi_NL (313657) <joris@@@ideeel...nl> on Friday April 12, 2002 @04:39AM (#3328344) Journal
    Isn't this just a cache
    I mean, netscape keeps track of my bwrowsing history. MS Find keeps track of my last searches.
    BASH keeps track of my last typed command.

    Usually this comes in handy. Hell, I can probably code something that will post my BASH command history and my netscape browsing archive onto the net.

    What's the news here?

    • Re:Please explain (Score:3, Insightful)

      by NeoTron (6020)
      Yes, but Bash, Netscape etc. doesn't trasmit that dat back to an 800lb gorrila, my friend.

      There's your news.
      • Re:Please explain (Score:5, Informative)

        by Zico (14255) on Friday April 12, 2002 @05:07AM (#3328400)

        Yes, but Bash, Netscape etc. doesn't trasmit that dat back to an 800lb gorrila, my friend.


        Preach on, brother! Erm, oh wait...

        Newsbytes:
        Netscape Navigator Browser Snoops On Web Searches [newsbytes.com]

        "According to a network traffic analysis performed by Newsbytes, Netscape is capturing Navigator 6 users' search terms, along with their Internet protocol (IP) address, the date Navigator was installed and a unique identification number."


        Hmmm, a unique identification number, eh? So forget logging your IP address with your search (which Microsoft and the other search engines claim not to do), forget gathering demographic data (which the XP Search Assistant also doesn't do), but Netscape is actually using a unique ID numbers to tie searches to specific individual users.


        Wanna try again? ;)

    • Re:Please explain (Score:3, Insightful)

      by Malcontent (40834)
      Maybe maybe not.

      I am 99.999999999999% sure the makers of BASH don't intend to make money off of your BASH history nor did they have any evil intent when they wrote that feature.

      I am about 90% sure MS DOES intend to make money and had evil intent when they wrote their feature.

      In the end evil is as evil does. We'll see what MS does with it.
    • Re:Please explain (Score:2, Insightful)

      by GnomeKing (564248)
      The point is that it is being sent to microsoft without consent of the user

      I believe programs that perform such acts are commonly known as spyware

      while its not supprising that microsoft is incorporating spyware, it is certainly newsworthy that the company who provides the majority of the worlds OS's is using it to spy on what they do (or potentially using it to do so - I have no idea what microsofts policy on the information harvested is)
      • Re:Please explain (Score:3, Interesting)

        by ThePilgrim (456341)
        Microsoft are not listed in the Data Protection register [dpr.gov.uk]. So they are breaking the law by storing any UK citizen's name every time that citizen does an ego search.
        This is especially true if the software was baught through a UK subciduary.
    • Sure bash keeps track of your last command. but how would you feel if it sent this info to linus?

      what if your last command was
      echo "start saving swolb" | sed s/rt/og/ | sed s/aving/unil/ | rev | awk '{print($2" "$1" "$3)}'
      • sure

        I just surfed to www.newyorktimes.com
        Do I care if MS will find out?

        Your issue is a matter of taste, not a matter of law. Treat it as such

    • Re:Please explain (Score:3, Interesting)

      by MeNeXT (200840)
      What scares me is not that Microsoft is just doing it. It's that it seems to be that almost all of companies are doing it.


      When did we let others decide that they can do whatever they wish with our property? I mean did they pay for my computer or did I? If the system was given to me then I can understand that the company who gave me the system has the right to profit in order to pay for the expense.


      I feel that we need better laws to control marketing. Lies should be stopped. If a product does not follow a set standard then they should not be able to mention the standard. IPsec comes to mind. How many poor implementations are there? This accumulation of information should not be permitted unless a written agreement has been approved by both sides. Any changes to this agreement by either party would make it void without a new agreement.


      Imagine that sometime in the near futur someone figures out a way to group all this data together and be able to trace every step you take....


      It scares the S**T out of me and I'm a law abiding citizen.



      /RANT

      • When did we let others decide that they can do whatever they wish with our property? I mean did they pay for my computer or did I? If the system was given to me then I can understand that the company who gave me the system has the right to profit in order to pay for the expense.


        DEVILS ADVOCATE
        You own the hardware, but you only license the software and particularly the OS, and you probably agreed to let m$ do this when you accepted the EULA that pretty much let's m$ do whatever they want and you agree not to hold them liable in any way, shape, or form.
        /DEVILS ADVOCATE

        Yet another entry in my hosts file, to prevent this sort of thing. Yet another reason to only boot windows to play games...
  • I don't know, but every time I read yet another story about MS storing our behaviour patterns, I wonder...

    Why do they want to know what we're doing???

    Is my life particularly interesting? God help the poor lad who has to search through my personal searches...

    +UT +MOHAA +GAMEBOY +ADVANCE +DREAMCAST +GTA3 +N64 +SUPERMARIO +GAMECUBE

    (Note: no +XBOX)
    • This is what bothers me too. It reminds me of a leech that hangs and says, "Do not worry, just a little blood". But yet you still get rid of the leech because it bothers you.

      After having heard the joke played on Bill Gates and Bill's reaction and how MS deals with problems I honestly do think MS will self-implode. And the oddest thing is that it will be their leadership that will cause the self-implosion...
    • Why do they want to know what we're doing???

      Piracy.

      They forget those pirate are sometimes their best salesmen.
  • When I use windows I run win98se(even though I still think it moniters you a little bit in IE) as I don't have to be paraniod about the ways it connects to the i-net, with XP there is time syncing, media player, and a whole load, so much somebody actauly created a program to disable as uch as that person could detect.
    XP=Xerox Personal_Info
    When I dual boot its always to linux, at least I don't have to worry to much about them tracking me without my permision.
  • Next, please (Score:3, Insightful)

    by quintessent (197518) <my usr name on toofgiB [tod] moc> on Friday April 12, 2002 @04:44AM (#3328352) Journal
    the bright side is that it doesn't send anything to internet

    Doesn't sound so bad to me.
  • by fruey (563914) on Friday April 12, 2002 @04:48AM (#3328359) Homepage Journal
    But when we run an application for some local business like a file search, we don't expect it to connect silently to the Net, even for a good reason. When we discover something like this, it feels like someone else is in control of our computer, and that is definitely not a good feeling.

    In the USA, Internet access is usually a monthly subscription and that's it. No phone charges, no charge per minute, just a certain amount of bandwidth per dollar spent.

    In Europe, some people have now got access to 2 types of "free" Internet (neither is free).

    • Free, in the sense that there is no subscription, but you pay local call charges. This is possible because the phone company pays a percentage to the ISP for call traffic generated
    • Free calls, in the sense that local calls are to a no-charge phone number, so you can stay online as long as you like without a per-minute charge, but you have to pay a monthly fee of at least $20 US or more.

    Which brings me to my point. If Internet connections are configured in such a way (as often they are) that the connection happens transparently because the username and password are stored, then people are going to pay call charges to search their local disk. If they don't realise this (especially in the case of ISDN connections) then they may run up quite a bill when they do an extensive search every time they lose a file.

    I don't like this Internet-integration with the desktop in the OS. Sure, if I want it to happen, I can download some software helper. No doubt by hacking the registry or something equally scary for any novice user, you may be able to switch this off. But it reeks of abuse of my phone line.

    It's interesting, no, that Microsoft do not necessarily take account of the European market when it comes to actual Internet access. Sure, they do multi language support but what about this particular Internet case?

    I have clients who have been caught with huge bills due to shit like this before. Like transparent connections happening when they are not surfing when connected to an ISDN router which connects when any packet that is non-local causes a router to connect. I know that this can (and is) fixed on the router with better access lists, but the packets themselves come from crappy Microsoft things like MSN Messenger trying to auto-connect at boot and various SMB packets.

    It's time that the Internet was a separate part of the desktop. Plenty of people embrace the Internet, but many others will not, especially in countries where it is still expensive just to stay online an hour costs me $2. That's right, a crappy 33.6K connection costs me $2 due solely to phone connection charges.

    • Which brings me to my point. If Internet connections are configured in such a way (as often they are) that the connection happens transparently because the username and password are stored, then people are going to pay call charges to search their local disk. If they don't realise this (especially in the case of ISDN connections) then they may run up quite a bill when they do an extensive search every time they lose a file.

      Yes, but ISDN isn't all that popular. Most people who have per-minute connections are modem users who definately WOULD notice if their machine was trying to connect in the background.

      I don't like this Internet-integration with the desktop in the OS. Sure, if I want it to happen, I can download some software helper. No doubt by hacking the registry or something equally scary for any novice user, you may be able to switch this off. But it reeks of abuse of my phone line.

      IMHO, internet integration is a good thing. I like the net integration with KDE for instance. However, the type of "internet integration" Microsoft practices is not normally to the benefit of the user. This doesn't invalidate the whole concept though.

      It's time that the Internet was a separate part of the desktop. Plenty of people embrace the Internet, but many others will not, especially in countries where it is still expensive just to stay online an hour costs me $2. That's right, a crappy 33.6K connection costs me $2 due solely to phone connection charges.

      Better get a flat rate connection then. Per-minute connections are good for low-level users, the type that check their email once every couple of days etc.

      • by fruey (563914) on Friday April 12, 2002 @05:51AM (#3328482) Homepage Journal
        Yes, but ISDN isn't all that popular. Most people who have per-minute connections are modem users who definately WOULD notice if their machine was trying to connect in the background.

        Where are you from to generalise like that? ISDN is very popular here, where DSL is not available at all, and regular phone lines suck.

        IMHO, internet integration is a good thing. I like the net integration with KDE for instance. However, the type of "internet integration" Microsoft practices is not normally to the benefit of the user. This doesn't invalidate the whole concept though.

        Only if Internet is not expensive (my whole point).

        Better get a flat rate connection then. Per-minute connections are good for low-level users, the type that check their email once every couple of days etc.

        I don't live in Europe. I am giving Europe as an example. I live in Morocco. There is NO SUCH THING as a flat rate connection buddy. That's why it costs me $2/hour whatever I do, unless I can kick down $400/month for a 64kbps leased line. Yes, that's four hundred bucks.

    • That's a truly good point. I happen to have an ISDN modem by my side, and I am tired of switching it off as soon as the 'connecting' dialog box pops up. Being ISDN, you have to be as fast as lightning, otherwise you are paying another call (first three minutes are always billed, so bad luck if you are connected just for 5 seconds).

      In many countries, flat rates are just during off-peak hours; for instance, mine starts at 18:00. Now that every single application or operating system component feels entitled to call home whenever it wants to, having an external modem you can physically switch off in tenths of seconds really pays off.
    • In the USA, Internet access is usually a monthly subscription and that's it. No phone charges, no charge per minute, just a certain amount of bandwidth per dollar spent.


      Generally, but NOT necessarily true. ISDN is a good example which others mention. Also, some places like New York City have message units on residential service. Keep making more calls and you pay more $$. And the small business user that uses ISDN or dial-up service? They are on message unit type services in many more places where flat rate service is available for residential service but not business service.

    • It's not just Internet bandwidth it's using without your knowledge or consent, it's LAN bandwidth too. PCs on your LAN, each using up an uncontrollable percentage of your or your company's personal bandwidth.

      It's not just this file search net connection. Automatic Windows Update in XP does auto-downloading in the background by default if you follow the wizard.

      If MS built air conditioners, they'd design them to run full-time. They have zero consideration regarding automatic resource consumption.
  • by pryan (169593) on Friday April 12, 2002 @04:51AM (#3328367) Homepage
    Obviously this isn't surprising. You have information Microsoft could possibly sell, and it is certainly information they can use. Of course they're gonna try to get it, and try to keep it quiet. This is happening more and more often, and it's everyone, not just Microsoft.

    I do use XP, mostly as a gaming platform, but I use Mozilla, and when I'm not playing games often I am running Linux on the same box. This doesn't have me worried one bit. Some people are gonna get all in a twist about this, but this is just a small step towards the ultimate goal: human batteries. :)

    This does make me wonder, however, since Microsoft is causing bandwidth to be used on my network for activities I have not expressly envoked, can I charge them for use of my connection?

    I say, charge them for use of my bandwidth. They won't get it free out of me. I just wonder where do I send my bill..
    • You bought their software (Windows XP) and you accepted their EULA. I dont think you have much money to collect from Microsoft, sorry.

      my 2 cents
      • You have information Microsoft could possibly sell

      Bah, it's just more idiots burning money on a slightly refined version of the .com business plan:

      1. (New step) Find out what people are searching for.
      2. Give away a great product to gain mindshare.
      3. ...
      4. Profit!

      Who is it that keeps telling us that demographics information is valuable? Marketeers. Nuff said.

      • i would love to see some marketing budgets at a few large corporations. sure they're a fruty mac using department, but they get lots of $$ from the company, and somehow they're able to prove their worth. demographic type information shows it's worth.

        sales and marketing are number games. the more numbers you have the better you play the game.
          • somehow [marketing departments are] able to prove their worth. demographic type information shows it's worth

          Pish tosh. Established companies spend a fixed proportion of their revenues on marketing. There's no justification required, it's simply one of those things that you do if you want to attract corporate investors. Too much or too little, and you look different and are a bad risk. I know this for a bare naked fact, as my own company is about to lay off half of the marketing department due to a sales slump. The ironic part is that we've just completed a kick ass product, and we actually need marketing droid to pimp it to customers, but we also need short term investment, and we are simply spending too much on marketing to attract any.

          There's no logic to it, no connection between marketing and sales: our sales drop was because we had a crap product, not bad marketing, and now we have a great product but a bad reputation and a desparate need of marketing. There's no rhyme or reason to marketing, just complying with industry standards.

        • I hate to say it, but there is a huge relationship between marketing and sales. Our economy is driven, to a large extent, by marketing. When you spend more on advertising, sales almost always go up. Large companies spend outrageous amounts of money on marketing and advertising. Any sociology or marketing class will tell you that.
  • by cdf12345 (412812) on Friday April 12, 2002 @05:00AM (#3328384) Homepage Journal
    Ever heard the idea that if you throw enough "crap" at a wall something is going to stick. With all these companies suddenly forgetting how to treat their customers, it takes a lot of action by informed people to oppose things like this.

    I fear that we risk spreading ourselfs thin in the upcoming onslaught of unreasonable software, privacy policies.
  • by nmg196 (184961) on Friday April 12, 2002 @05:03AM (#3328394)
    This is stupid. Why are people being so paranoid? Of course a search engine needs to know what you're searching on! You reckon Google doesn't log what you searched on? Or your IP? Of course it does... Stats are valuable - even if you don't sell them to anyone. The Register is known for spamming it's own front page with poorly written "non-event" news stories written by poorly informed editors feasting on hype from other news sites.

    I'm disappointed in any slashdot editor who thinks we need these stupid articles pointed out to us.

    Nick...
    • by Hektor_Troy (262592) on Friday April 12, 2002 @06:23AM (#3328544)
      Sadly the two posters above me haven't read the article properly.

      True, when searching local files and intranet, nothing about that search is sent to Microsoft.

      Now, I haven't used XP, so I don't know how the Search Assistant works, but apparently you can tell it NOT to use MSN for searches, but something like Google. I don't mind Google collecting info about my searches, but I do mind when Microsoft collects info about my searches on Google - that's simply none of their business.

      As a poster above me mentioned, many people in Europe have to pay for the call-time they use when surfing. Why should they have to pay a minimum of 5 cents to their ISP, just to search their own harddrive? I can't think of a single good reason for that.

      Read this post: http://slashdot.org/comments.pl?sid=30967&cid=3328 359 [slashdot.org] for a good comment on that subject.

      The privacy statement for Search Assistant has the following provisions, which is what I base some of my arguments on:

      http://sa.windows.com/privacy/ [windows.com]

      "No information is ever collected by Search Companion when you search your local system, LAN, or intranet for any reason."

      "When you search the Internet using the Search Companion, the following information is collected regarding your use of the service: your IP address, the text of your Internet search query, grammatical information about the query, the list of tasks which the Search Companion Web service recommends, and any tasks you select from the recommendation list."

      "Search Companion does not record your choice of Internet search engine, and does not collect or request any personal or demographic information. Information collected by the Search Companion cannot be used to identify you individually, and is never used in conjunction with other data sources that may contain personal data."

      Now, like I said, I don't use XP, I don't know how Search Assistant works, and I probably wouldn't even use it, but it's still a bad thing to do for two reasons:

      1) Making people pay their ISP/phone company to search their local harddrives.
      2) IF I can make Search Assistant use another search engine (like Google), it's none of Microsofts business what I search for. If I can't use another search engine, then obviously Microsoft has to know what I'm searching for.
      • You left out a small part of the Privacy Policy:

        Microsoft will occasionally update this Statement of Privacy to reflect company and customer feedback. Microsoft encourages you to periodically review this Statement to be informed of how Microsoft is protecting your information.

        Basically, this policy is in effect until MS decides to change it. When (not if) they decide to change it, any information they have already collected will be subject to the _new_ privacy policy.

        We've seen it happen already with Yahoo!, among others.

  • by miklernout (444473) on Friday April 12, 2002 @05:05AM (#3328396) Homepage
    It states very clearly that it only attempts to download certain files when searching on the local machine / LAN / ... and DOES send information to a *.microsoft.com server when searching on the internet through the utility.
    • I'm starting to wonder if these trolling articles bashing Microsoft are a just a plot to get us to read articles and see those new ads. This comment at the end of Timmothy's summary is what got my attention.

      Tanveer1979 writes: though, that "the bright side is that it doesn't send anything to internet, it only downloads files, and compares the files on your computer with the files on server. And I guess a little effort is needed for the malicious to program it to send your data to web."

      The last line about a little effort needed for the malicious program is just pure speculation. With a little effort you can send the contents of /etc/passwd to the net and I suppose with a little effort you could send a full inventory of your installed RPM's to the net too. It doesn't mean it is happening though. This is just plain irresponsible journalism here, if you can call cutting and pasting user submitted links journalism.
    • When searching my own PC it does attempt to connect to the internet.

      So go figure.
  • It's really quite pointless complaining about privacy problems in Microsoft software -- The OS and its associated MS apps are so rife with security bugs that any script kiddy on the Internet can break in and obtain access to your closest-held secrets anyway, so complaining about additional bugs/features like the one described in this article is essentially useless. Let's face it, would less of your personal information be available to Microsoft if they didn't gift-wrap your search terms and send them to Redmond?

    If you've deluded yourself into thinking that changing the behaviour of their search feature would make a difference, consider this: Microsoft is just as capable of being the aforementioned script kiddy as anyone else is.

    Until MS fixes the underlying security problems in their OS, anyone who uses it is implicity acknowledging that they don't care about their privacy. If someone really wants to protect their privacy, they'll put in the small amount of additional effort required to run on a system which doesn't leak their data like a sieve.

    • that is trolling: (Score:2, Insightful)

      by leuk_he (194174)
      This post does not add anything:
      -he says no more personal info is available with this, and how: some babling about script kiddies.
      -He is against MS, but fails to tell why.
      -What underlying security problem?

      By not mentioning the security problems he follows the MS policy of not revealing bugs until a fix is available. 8-}

  • Did anyone here stop to think that maybe the following is true:

    There is a malicious group of programmers inside Microsoft that add code to the things like search-assistant(or whatever its called since i don't use it) and other products that explicitly do things that are BAD .

    Microsoft probably doesn't even know the group exists! Come on Would microsoft really want anyone's personal information or surfing habits? This is obvioulsy the work of some malicious koders!!!

    Well that or collusion with the DOJ in exchange for dropping the lawsuit they put this feature and send IP's to the DOJ of anyone searching for kiddie porn ;)

    Burn my karma!! haha i thought it was funny!!
  • by Observer (91365) on Friday April 12, 2002 @05:09AM (#3328403)
    The writer makes the point at the end that it's not so much what is being done that is the problem, but the fact that it's done without telling you and without giving you a choice about whether you want it to happen.

    To which I'd add, it also shows a problem with the culture in the organisation that makes the stuff. It's not so much arrogance, but something more akin to carelessness: an inability to appreciate that other people - including some of your customers - may have different criteria and preferences than yours. I personally doubt whether the people who developed this even thought to ask themselves whether this behaviour would be considered reasonable, nor that it was ever considered in any formal reviews that may have taken place. And it's far from the first time that I've got that impression about MS: their use of that reserved field in the Kerboros protocol feels similar: not so much malicious as just a failure to know and appreciate the etiquette that had grown up in an area that they were entering for the first time.

    • The writer makes the point at the end that it's not so much what is being done that is the problem, but the fact that it's done without telling you and without giving you a choice about whether you want it to happen.

      Ermm, it says in the article that it tells you exactly what it does in the "privacy statement". So this is right out in the open, in the documentation! Really, I don't think there is any controversy here.
  • Host file. (Score:3, Informative)

    by AVee (557523) <slashdotNO@SPAMavee.org> on Friday April 12, 2002 @05:11AM (#3328407) Homepage
    I don't have an XP box handy, but I'd like to see what happens if you change add sa.windows.com to the host file and make it point to 127.0.0.1. Or to some other server. It would be nice to be able to send other files then the ones MS wants you to get...
    • Then it'd be nice to see how WindowsXP reacts to an "updated" privacy policy (new document date/id, slightly different document) on that server.
  • heh (Score:2, Funny)

    by waspleg (316038)
    irony? as i read this the banner ad the top is for OSDN's GEOTARGETING (targeted advertising)

    *cough*
    i wonder where they get/got the info
    *cough*

    ** The preceding was not a troll, all opinions expressed are the authors which may contain forward looking statements and all of which is entirely speculation ;)
  • These sorts of "MS is spying on us" articles are
    nothing new and to be honest everyone knows what
    the answer is if you don't like it - don't use
    a Windows OS. There is Linux and 3 versions of BSD
    to choose from and for the fluffies who can't handle
    them you can use MacOS (old or new).
    MS will continue to do this because
    A) Its not illegal and probably never will be
    B) 99% of users are to computer illiterate to know
    what their computer is doing or simply don't care

    When MS makes Office an online subscription system
    they'll be downloading far more than just your
    IP address and search text so if you don't like
    the MS vision of the future GET OUT NOW! You have
    a parachute , its called Open Source.
  • Ah Microsoft stop the secrecy.

    The actual act of aggregating search engine data itself it not particularly bad, its just the way the have to keep all this stuff secret, even if they're doing something innocent, they make it look sinister and because of their history it looks pretty bad, whatever the real reason for doing this.

    For marketing reasons, I can see it being useful information to a lot of companies, if they are strictly aggregating data as they say.

    Is this for use on MSN etal, as obviously to sell keywords they need to know generally what words are the most popular, and they can't do that without aggregating data about people search preferances.

    Is this any different to say googles toolbar, Ok before I get flamed I know google do it right and gather info on an opt-in basis, but all search engines want to know information about our browsing habits, thy've got to make money some how.

    Microsoft don't seem to be doing anything really bad here, its just like their software the problem is with the implementation, if they only made it absolutely explict they were doing this it would not be a problem.

    Microsoft you build in cookie management to IE and then build in 'freatures' like this without any opt-out, you're just asking for bad publicity here. Guess it must be the pointy haired marketdroids at work.

  • by JohanV (536228)
    This is a very dubious action of Microsoft. They presume there is a difference between the internet and the LAN, and for starters I am not so sure whether that difference actually exists in all cases. Furthermore, I doubt whether they can actually make that difference even if it exists. Take for example how I search the intranet at Uni.
    I usually just hook up to the intranet at Uni with my laptop. But the intranet consists of an indisquishable part of internet, 3 separate /16 networks exclusively for our Uni. I search the network of my University using an internet search engine which has some affiliate program to work for our Uni.

    Can anybody enlighten me as to whether the search in Windows XP would phone home my search strings? I am quite happy not using XP at the moment, and news like this makes me think that not upgrading was the right decision.
  • by cipset (550887) on Friday April 12, 2002 @05:54AM (#3328486) Homepage
    When I first saw the title I thought

    "Ok it will phone home, that means that soon we will get rid of it"
  • RTFA (Score:5, Insightful)

    by evilviper (135110) on Friday April 12, 2002 @06:04AM (#3328509) Journal
    Would you all kindly read the damn article before you start your ranting.

    It all boils down to the fact that when you use the file search tool, it connects you to the internet and downloads a privacy policy type of file.

    That's it, the end. Period.

    When you are on the internet and perform a web search through XP, they log what you searched for... Even google does this for purposes of finding the most popular sites, and creating a table of the most popular searches and all that. This subject is not only trivial, but misleading in the context of the article... They quickly switch from talking about an offline file search which downloads a single text file when you first use it, to a completely different subject of a search tool recording what you searched for.

    Of course, the ironic thing being that this web search tracking is no worse than the Netscape 6 tracking discussed a short while ago.

    And if you haven't heard it enough so far, local file searches download a single damn file when you first use it. May seem a stupid thing to do, but it's not phoning home, it's not tracking your habbits, etc.
    • Re:RTFA (Score:3, Insightful)

      by djmurdoch (306849)
      It all boils down to the fact that when you use the file search tool, it connects you to the internet and downloads a privacy policy type of file.

      I think it also downloads a few other files, but the privacy policy file is the one to worry about. How is the user supposed to stay informed when Microsoft's privacy policy can be changed every time you search for a file on your disk?

      Me, I like to know what the policy is. I can decide whether I like it or not. I don't want a company changing it every day.
      • The court ruled (regarding Netscape's license specifically) that no license is enforcable if it was not explicitly agreed to by the user. I.E. if it asks 'do you accept this agreement', say no. If it doesn't ask you, it is not binding.
    • Start thinking (Score:4, Insightful)

      by gotan (60103) on Friday April 12, 2002 @08:18AM (#3328779) Homepage
      Hey, it only downloads a file, so let's stop thinking now. There are some things bothering me here though, but maybe you can help me with it, so i can soon embrace blissfull ignorance again:

      Do the other downloaded files alter the system behaviour in any way? They're providing information connecting file-extensions to file-types at least, and that might have some impact on a windows system. And if they don't do anything at all, why download them? Maybe i'm using a special app with uncommon file-extensions and took some pains upon me to make the system recognize them. Will that work be undone with every search query?

      Then "downloading" is not a onesided action. To download a file i have to establish an internet connection, and in that process all kind of information is transmitted, not just the ip. I don't think someone concerned with network security of some larger corporation would be too happy about all their desktop machines sending out packets announcing their ip, the number of hops to them and the type of their operating system beyond the firewall to a specific location without need. Also why should anyone trust Microsoft not to collect all that ip-addresses to compile a nice list of windows-XP installations, maybe to set up a BSA-raid?

      And finally: Why do such a "stupid thing" as downloading a privacy statement for an action that can be performed locally? Just to get some load on Microsofts server? Microsoft is paying for that bandwith, so why put extra load on it? Well, maybe someday in the future Microsoft will quietly decide to change their privacy policy and start collecting information about your local/intranet searches. But there's no need for you to know that. Only your Operating System needs to know.
      • Do the other downloaded files alter the system behaviour in any way?
        You know, it doesn't matter at all. If it screws up your system or not is of no importance. We want to know if it is spying on you. It downloads a file, the same information that you spill out when opening internet explorer (to msn.com) CAN be collected. That means your IP address, connection speed, ISP, and that's just about it.

        And if they don't do anything at all, why download them?


        According to the freaking article, which you sure as hell must not have read: This is done for P3P compliance. That's it.

        Microsoft is paying for that bandwith, so why put extra load on it? Well, maybe someday in the future Microsoft will quietly decide to change their privacy policy and start collecting information about your local/intranet searches.


        Look, Linus could change the linux kernel to periodically post information about your machine to his site. So why not go after him? Simple, because IT DOESN'T DO THAT. If/When XP starts sending information about you, THEN you can complain. You can't whine about that fact that it is POSSIBLE. It's possible that Office will start inserting a Microsoft logo into every document you create... Why aren't you complaining about that? Simply because it DOES NOT DO THAT YET.

        Have I been clear enough?

        Well, maybe someday in the future Microsoft will quietly decide to change their privacy policy and start collecting information about your local/intranet searches.


        Yeah, that would be a bad thing. Problem is, you never agreed to let them do that. So, if they change their privacy policy, you must click the agree button before they can do anything of the sort. If you do not agree, they can't legally take away the functionality that you had before.

        Like Media Player 7.1... If you had 6.4 (which didn't spy on you) you could NOT be forced to upgrade to something with a more restrictive license that you haven't agreed to (WMP7). And they certainly can't force you to get rid of Media Player 6.4 because of it.
  • ...which you can read here [windows.com].

    The interesting thing about this story is that it highlights the fact that nobody actually reads the MS EULA or Privacy Statements. Instead we need to wait for a journalist to make the "shock discovery" months later.

  • 1: Such info gathering would make it a lot easier for MS to know what people search for and possibly deploy their own 'Google' style search engine. -- A possible revenue stream if the whole .NET panacea doesn't work out financially.

    2: Who's to say that once this 'blows over' as a privacy/security issue in the press, the process is re-incarnated as a more invasive version (e.g.: pass back LAN and local filesystem searches, flag users searching for 'warez', send passport account IDs with each transaction, etc.) Such a change could be effectively hidden in a 'security patch' with some vague legalese hidden 19 pages into the supplementary EULA to make it officially 'legal'.

    Just my $.02
  • by Rogerborg (306625) on Friday April 12, 2002 @07:33AM (#3328679) Homepage

    For those who don't know, Thomas C. Greene is the Register's equivelant of Jon Katz. His job is basically to find things to be angry about, and he does that very well indeed. He has just enough technical savvy to appear credible (think Steve!!! Gibson!!!!!), but that doesn't actually give him any deep cosmic insights.

  • DPA? (Score:2, Interesting)

    by Anonymous Coward
    Im a UK citizen, and under the Data Protection Act (1984) any company, PLC, sole trader or otherwise is required to comply with the DPA.

    Part of this act entitles me to phone Microsoft and ask then to enumerate every byte of information they hold on me within a reasonable time period for a fee of no more than £10.

    They are also required to have my explicit permission to store any data about me.

    Intersting to note they would be breaking various laws by storing data of any form on minors.

    Faggots.
  • Interesting article ... just installed XP on a computer at home. I've looked around for any way to disable that Search Assistant's behaviour with no luck.
    I guess the quickest way in dealing this, is to block the domain on your firewall. It's probably the fifth or sixth domain I've had to add to the FW at home due to some app wanting to phone home.

    At work we discovered that the Inktomi search engine was trying to e-mail itself some info about our company searches. Inktomi claims that that the program only sends information about the top-level domain queries? Has anyone else seen this?

    • Interesting article ... just installed XP on a computer at home. I've looked around for any way to disable that Search Assistant's behaviour with no luck.

      I hope you didn't try too hard. Microsoft wouldn't want you to accidentally bump into the help file or an article on the web telling you how to do it [microsoft.com]. The bastards!

      For all you folks who bitch about how Windows is dumbed down, now you know it's because of idiot users like the poster who can't even RTFM.
  • for instance , you're not supposed to connect to the remote assistance feature using VNC. M$ also reserve the right to inspect the contents of your hard drive and disable unlicensed software (also on behalf of other firms). There is a whole host of this in the EULA which is why I won't use XP for home use and limit what I'm prepared to use XP and .NET for at work.
    Netstat your machine every once in a while and check out what state various ports are in (i do it habitually)
  • Everytime some little, isty bitsy, not even fully investigated thing about Microsoft comes out, the Slashdot community immeadeately bashes it. Sure Microsft has done some bad things, but this hardly qualifies as something to worry about. If they want to know I do searches on their stuff, Linux, Digital Cameras and things like that then so what! It's not like I am handing them my credit card! Also, this probably qualifies as something for those slippery slope folks to panic about too. Yeah, it's interesting, but who said you have to use the search button in thier browser?? Can't you just use google?
    • It's this simple: We think that WE should be the ones who decide what our computers do, not MS. No, i don't really care if they know what my web searches are for. What I care about is the attitude that they are entitled to that information. I want the opportunity to specify that I don't care.

      The local search stuff is just messed up. There is NO rational reason to download files just because I did a local search. None whatsoever. Since there's no logical reason for it, I find myself assuming that theres a nefarious purpose behind it.

    • If they want to know I do searches on their stuff, Linux, Digital Cameras and things like that then so what!

      The point is simple, and one some people seem to miss time and again. I decide what my computer does and does not do; I decide who gets to access it. You don't get to decide and neither does Microsoft - it isn't your concern or theirs. It isn't your right or theirs.

      My privacy is my own and I'm the one who makes up the rules about it. If you object, then pass a law that invalidates my rules. Otherwise it isn't your business, and it isn't Microsoft's business.

      And before you say anything about a EULA, please not that a EULA is not a valid contractual agreement in the United States.

      Max
      • You still decide....if you run firewall software other then Microsofts built into XP stuff. Even then, there's probably a way to do this. Also, noone is forcing you to run XP. You can always run Linux, or whatever. I am choosing to run XP because I have a couple of issues with Linux at the moment. Nothing big.....it runs, but I need something that works right away, all of the time. I don't have the time with learning AIX and all of the other crap I have to get down THIS year to mess with trying to get it to work in Linux as much as I want to. If I had unlmited time and money, I would have a kick butt Linux system. Right now, I can't affor dto go buy two or three video cards and figure out which one works the best with MY system(my Geforce 2 works good, but for some strange reason I cannot see boot messages when it's booting and I have tried every thing). Windows XP, with all of it's faults, is not a bad OS. Also, you should remember, as rich as Microsoft is, noone can build a computer that can have all of the stuff people claim XP sends to Microsoft(hardware inventory, this other stuff today, WPA), if they stored this info in perpetuity, do you have any idea how big the server would need to be to hold multiple records on each person/copy of XP that is registered?? It boggle my mind! Also, one other thing that erks the crap out of me with people like you is you say it's EEEEEVIL if Microsoft does it but it's ok of Netscape/Mozilla/Konquerer does it?? Pretty damn hippocritical to me!

  • IANAL, however this probably illegal under UK (& EU) Law.

    In the UK we have the Data Protection Act, which states that a Company may not share personal data with others, without the Data Subjects permission. They may not send Personal Data abroad, unless the data is equally protected 'abroad'.

    http://www.hmso.gov.uk/acts/acts1998/19980029.ht m

    The Data Protection Act comes from EU treaty obligations so similar laws exist throughout the EU.

    http://europa.eu.int/comm/internal_market/en/med ia / ataprot/inter/con10881.htm

    We need a UK XP licensee to complain the the Data Protection Registra, I not a XP user so I'm not in a position to complain.

    http://www.dataprotection.gov.uk/
  • Regardless of whether it's done in the OS or in their search engine or whatnot, the very idea of associating searches with particular individuals (or even particular computers) is a dangerous one. For example, what would happen if you decided to search for "metallica mp3" ? Don't you think it's entirely possible for Lars to demand access to those logs, and use entries like that as "probable cause" to raid your home or business for pirated music?

    Scary indeed.

What the large print giveth, the small print taketh away.

Working...